Friday, April 23, 2010

Source: Boston Talk Written Up

So Matt Wood (director of HP's Web App Sec Research Labs) and I presented at Source... and apparently the ideas are sound because I'm still having sidebar conversations about it.  TechTarget's SearchSecurity wrote us up - Click to read - and I hope to get your thoughts on the topic.

Slides won't be available publicly for a while ...but you can contact me directly (leave a comment, or email me) and I can get them to you on a personal basis.

I'm claiming that this is the future of web app security automation... agree or disagree - let's hear it.

Saturday, April 17, 2010

The Validation Fallacy

So lately I've been reading, writing, and thinking a lot about the security of your web applications.  One of the themes that has surfaced in almost every conversation is the idea of validation.  What do I mean?  I have been hearing from security managers and application testers alike that they measure their success (or the success of their web application security programs) in different ways - but all center on one vulnerabilities.

Interesting that after all these years of preaching by not only me but many others in the Information Security field we're still measuring by the number of vulnerabilities.  Forget the term vulnerability ...and I mean that in all seriousness.  Just use "security defect" - it's a much more powerful term.  Besides ... why do you even care how many vulnerabilities (OK, security defects) you find?

The validation fallacy is the belief that the value (or success) of a security program lies in the number of security defects you point out, or uncover.  So if the value of your program isn't in the number of bugs - how do you judge success or failure?

There are a few different metrics I can suggest you use which you will get significantly higher mileage out of.

First, and the one I currently use most - is the Defects over Cycles (DoC).  The DoC metric counts the number of defects over the span of several cycles of development of the same application.  If you're not decreasing the bugs over the life of an application then, as we like to say, you're doing something wrong.  The first time you run a security program you're going to come up with a mountain of defects.  More importantly, you're not going to fix all of them the first time around.  The success should be measured over time as the defects start to drop from one cycle to the next.

A sub-metric here, which is critical, is the Recurring Defect Rate (RDR).  The RDR is the measure of the defects that recur from one cycle (or release) to the next.  The RDR measures defects that are identified, closed, and re-appear again on the next release.  I would consider this one of the primary measures of success for a security program.  The reason I think the RDR is so critical is it takes into account much more than your ability to find bugs. Overall, the goal of any good security program is to not only decrease risk but to also drive education and the adoption of more secure practices throughout the enterprise.  If your developers continue to make the same mistakes over and over ...again, "you're doing something wrong".

Validation of your security program shouldn't come from the number of vulnerabilities you can put on a report.  Your validation should come from the pervasiveness of the secure mindset throughout the company from developer to program manager to senior management.

That is true validation.

Saturday, April 10, 2010

InfoSec Career Advice

There are a lot of people giving InfoSec career advice.  Every security conference it seems like has someone offering you career advice on where to work, what classes to take, what certifications to go for.

I want to take a realistic approach to Information Security career advice.  The reason there is a lot of useless InfoSec talent out there - that's right, I said it, useless - is because none of the "new blood" I'm running into has any business sense.  I'm not advocating more of the top-down management that drives people with MBAs to be security leaders, but I think it would give the security teams out there some credibility if they could speak business' language as well.

Interestingly enough, one of the more honest observations I can make is that there are a ton of corporate InfoSec analyst-level talent that are looking to push buttons, run scripts and get results.  There is a distinct lack of the analytical mind, business-level understanding and even worse ...common sense.  Working for a web app sec tools vendor is interesting because as a recent "researcher" proved via a ridiculous published report users expect to be coddled.  InfoSec analysts in corporate IT expect to buy something and have it do their job for them - they aren't expecting to think.

It's just mind-numbing that the types of things many of the more senior-level minds in InfoSec had to go through and learn not more than 8-10 years ago is just not making into the curriculum.  I had someone approach me at the last conference I spoke at and tell me that she just graduated with a degree in "information security" from some college, and was asking me where I would advise her to go work.  Her understanding was that going through school classes, and being able to write shell-scripts and analyze packets qualified her for a senior-level position with a large enterprise.  Wrong!

Being smart and having talent in technology does not a good InfoSec analyst make.  So my advice?

"If you want to contribute meaningfully to the Information Security field - go do something else first... business analyst risk analyst project manager, developer...anything!  Learn how the business works, learn what keeps you employed - learn how your company and business makes money."

You probably already get the technology - but can you tell me how it applies to what the business does?

Catastrophic Failure in Risk Analysis

In the early hours of the morning, as those of us in the US slept - a tragic series of events unfolded in Russia.  Poland lost an entire plane, the equivalent of Air Force One, to a fiery crash that saw the President and many of his cabinet disappear into the Russian fog and fire.

I think the BBC article says it best:
"President Lech Kaczynski and scores of other senior Polish figures have been killed in a plane crash in Russia."
Incredible, sad, and incredible.  I paused to reflect on how a tragedy like this could take place, but quickly focused on how so many senior government officials including the Polish President could be on the same rickety, 20-year-old Russian tin can.  Maybe it's just anger that my homeland is once again gripped with tragedy and sadness - maybe it's just anger at the utter idiocy of the situation.

Let me recap what makes me so angry.  Clearly someone failed at the most basic risk-analysis.  I can't believe it didn't cross someone's mind (or that it wasn't protocol) that the President and so many senior members of his governing body should not be on the same plane.  Honestly, back at my last company we joked all the time that the security team (given that there were 4 of us) shouldn't get into the same elevator ...just in case.  There was policy that the CEO and senior members of the company board could not travel together for fear of losing such a huge chunk of leadership in a tragedy.  ...but alas ... my Polish brethren just didn't think of that.

Now would be a good time to reflect upon your own risk analysis back at the office.  Do you have a policy that would protect your company, its intellectual property, and leadership in case tragedy strikes?

While you take a moment to mourn [ Monday, April 12th, 9:00am EDT - 97 seconds of silence for the 97 lives lost ] reflect back on the risk analysis you do every day and ask yourself ... "How's my risk analysis?"

Friday, April 2, 2010

[Interview] c7five -- "THOTCON co-creator and...."

So... since I'm speaking at THOTCON ( I spelled it right, see?) I think it only fitting that I give you guys an idea of what this conference is all about, and one of the creators of the soon-to-be premier midwest hacker con!

  1. First off ...who are you?  What are you (in)famous for?
    •  I am c7five. I am not sure if I am famous or (in)famous for much. Google me and let me know what you find.
  2. What sparked you to start conference?
    •  I was on the flight back from DEFCON 17 and thought "Why isn't there a hacker conference in Chicago?"
  3. What's THOTCON all about?
    •  First, it is THOTCON, not THOTCon. :-) It stands for THree-One-Two-CON. 312 is the oldest area code in Chicago. It is small venue hacking conference with a goal of putting on the best possible conference on a very limited budget. We only charged $60 for early birds and $75 for general admin. We started from scratch, used social media and a crappy website to attract 13 world-class speakers and over 200 people together on a single day in April. Given this is the very first edition of the con, we'll likely know more about what it WAS all about the next day.
  4. What's THOTCON's "unique" appeal?
    •  It is in Chicago, which is centrally located and one of the best big cities in the world. It is clean, public transit friendly, and at the end of April will be great weather for visiting. The con is also being held at a bar. Yes, that's right, you can order a drink at 10am and watch talks. It is a single track conference as well, so you don't have to jump from room to room or be worried you wont get a seat. Everyone gets a seat (or a stool).  It is being held on Friday, which means there will be plenty to do post con, the next day and night. Many people are making a weekend trip out of it.
  5. Seriously...what's with the website graphics?
    •  We purposely want to be bare-bones here. It is done in 40 column and zero graphics to be seen. You don't need to spend a lot of time or money on a website to have a great con. Next year we'll upgrade the site to 80 column.
  6. What's the toughest thing about putting together a conference?
    •  Ticket sales was the toughest challenge we had so far. Not actually selling them, but trying to sell them. We had a few false starts after getting bounced from both Paypal and Amazon payments and settled on using Showclix. They have been great to work with and it has gone smoothly (so far). The other part is selecting the right speakers. For a first time con, we actually had a ton of CFP submits. It was tough to pick the right mix of experienced speakers while giving some newcomers a chance to speak.
  7. What conferences to you go to? (or would you go to if you could?)
    •  This year I will have gone to/plan to go to Black Hat DC (I spoke there), Black Hat EU, YSTS (in Brazil; speaking there for the 2nd time), Black Hat USA, DEFCON (this year will be my 10th year going; spoke for the first time last year), and SecTor (great con in Canada).
  8. What is one trend you can easily spot (in conferences) over the last 3-5 yrs?
    •  I see them going in two different directions. There are some commercial cons popping up (i.e. SOURCE) and then there are a new batch of smaller niche cons like THOTCON and QuahogCon making their way. I think we'll see the commercial ones having a harder time than the small ones. It costs a lot more and takes a lot more work to put a commercial con together than it does a small one. Our venue costs us very little as long as people drink and eat.
  9. What blogs do you read?
    •  Only yours, man.
  10. What OS (and version) do you primarily boot into?
    •  OSX Snow Leopard
  11. [Bonus] iPhone or Droid? Why?
    • iPhone. It works. I travel a lot internationally and it also works in those places. Droid might too, I don't know. I just got an iPhone first no reason to switch right now.

Thursday, April 1, 2010

What I've Been Reading March 2010

The Information Security industry is so dynamic that many of the main-stream media outlets are simply too slow at delivering news.  How many times did you read something on ZDNet that was actually news about 3 days ago on the blogs?  The problem is, how do you stay current?  There are literally thousands of blogs out there, and many of us in the security industry constantly read, read, and read to keep up with what's going on, whats news and what's going to be in the media tomorrow - but knowing what to read is tough.

I'm going to do a monthly series on blogs I find of value - as I find them.  There are too many good blogs out there that just don't get the coverage and readership they should... so maybe some of my readers can find some new place to get their InfoSecurity 411.

If you have a blog you want to submit for this, please leave a comment, email or Twitter DM me ... I will publish your suggestions in the April edition of "What I've Been Reading"...

  • The Test Manager - A great, informative blog written by Martin Hall focusing on testing, tips and tricks and security from a test manager's perspective.  Martin is clearly qualified, to speak on the topics he writes about, and he's not going to overwhelm you with crap... overall a recommended read.
  • CounterMeasures -Rik Ferguson of Trend Micro writes a brilliant blog on all things InfoSecurity from an anti-malware company's perspective.  He's got great insight, good content, and he's just a good dude.  Lots of content you won't find anywhere else and more importantly there's always something to get you thinking...recommend this one too!
  • DarkNet - Look, I'll be honest, if you're not reading DarkNet then you're missing a metric ton of information security testing-related information from a fire hose.  This blog has something new all the time and you should be checking this in your RSS reader at least daily.
  • FireEye Malware Intelligence Lab - One of the places I turn to read about some of the nasty crap floating out there in the nether regions of the Internet... they don't update all the time but when they do the content is dead-on, informative, and useful.
  • Jack Mannino's Blog - You know Jack does he.  It's a light-hearted blog and even though Jack's a Mets fan I still recommend this one to have in your reader.